Digital crimes lead investigators to use drive-scanning software

'Criminals are now automating their entire world,' said Sgt. James Doyle, so law enforcement officials have little choice but to become tech-savvy.

The retired New York Police Department investigator told the audience at the recent Computer and Enterprise Investigations Conference 2002 in Chantilly, Va., that crimes involving computers are so pervasive that only advanced technology can sift through the gigabytes of digital evidence.

Doyle, who was a member of the NYPD's Computer and Investigation Technology Unit, described Operation CEO, an identity fraud case that has become an example of how technology is used to commit crimes as well as solve them.

The perpetrator, Abraham Abdullah, leased a car under a false name. As he drove out of the dealership parking lot, police stopped him for speeding and found he didn't have a driver's license.
Abdullah had created his false identity online. There was lots of physical evidence, Doyle said, but it was the evidence on Abdullah's notebook PC that eventually resulted in his arrest and incarceration.

Doyle scanned Abdullah's hard drive and found all the IP addresses used for his ID falsification scheme, including e-mail correspondence and other files.

Scanning IP addresses has proved crucial to many cases, particularly in child pornography and abduction cases, Doyle said.

He recounted his use of EnCase Forensic and EnCase Enterprise, computer forensics applications from Guidance Software Inc. of Pasadena, Calif., to track down a murderer and rapist who had abducted a young girl.

The missing girl had had an e-mail relationship with the perpetrator. Using EnCase, he scanned the hard drive of the girl's computer and found her deleted correspondence. 'They were corresponding right before she disappeared,' Doyle said.

In another case involving a New York City girl's disappearance, Doyle's review of her e-mail and online chats led him to figure out that no one had kidnapped her. A relative had taken her in.
'This is the level kids are at, and parents don't have a clue,' he said. During his scans, Doyle found her screen name and a boyfriend no one knew about.

Doyle said he has been using EnCase for as long as computers have been used for crimes.

The company's first big order was from the Secret Service in 1998 for its Electronic Crime Special Agent Program, said John Patzakis, president and chief legal officer of Guidance Software. ESCAP trains agents in digital forensics. The Secret Service paid $50,000 for the software, Patzakis said.

EnCase scans files under Microsoft Windows operating systems. It cannot read files under Apple Mac OS X, the shareware Unix-like operating system OpenBSD or Sun Solaris.

Time-line view

The investigator uses EnCase to copy a suspect system's files and drive contents onto a virtual drive 'that allows us to be noninvasive,' Patzakis said. Otherwise, he said, 'you're trampling all over the investigation scene.'

Examiners normally only run text searches and look at images, Patzakis said. 'If they run significant analyses, they take a time-line view of sequences of files,' he said. 'They look for known files, hacker tools or files associated with criminal activity.'

So long as the hard drive is in working condition, investigators can copy and analyze its contents. If a drive has been destroyed, investigators sometimes can still get at the data with recovery applications and techniques.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected